OK, I’ve worked out what’s going on. Leonidas is right, it’s not just the hash that gets encrypted (in the case of the Cipher class method), it’s the ID of the hash algorithm concatenated with the digest:
DigestInfo ::= SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
digest OCTET STRING
}
Which is why the encryption by the Cipher and Signature are different.